
Tenable Blog


Web Application Security: What You Need to Know to Minimize Threats

Learn how practicing the basics of web application security and keeping up with the threat landscape can help keep your business secure.

When it comes to threat actors breaking into corporate networks and stealing data, most attacks start with relatively well-known vulnerabilities in web applications — the same ones corporations use to interact with their customers and the public at large.

“Web applications are still the top attack vector in terms of creating or causing data breaches,” said Nate Dyer, a senior product marketing manager at Tenable. And while web application security remains a major issue for enterprises, a few basic preventative measures can keep sensitive business and customer data safe.

During the recent Tenable webinar, Protect Your Web Applications from Component Vulnerabilities, Dyer and Eric Detoisien, Director of Research for Web Application Scanning (WAS) Content, discussed how — by paying attention to vulnerabilities and the threat landscape — businesses of all sizes can help pare back some of the attacks that can lead to a data breach and the headlines that come with it.

Web Application Security Basics

While web application vulnerabilities are the top source for data breaches in the enterprise, specific industries are more susceptible than others. These include healthcare, retail and even some public sector and government agencies — basically any organization that deals in large amounts of personally identifiable information (PII), credit card numbers or other types of customer data attackers look for during a breach.

At the same time, web applications — even the simplest-looking static webpage — are fairly complex. There’s the underlying content management system (CMS) that most pages are built on. Then there are the libraries and frameworks used to build these apps. And, finally, there’s typically custom code that developers write to add functionality and other features for the businesses using these sites.

Each of these layers presents its own level of risk to the business. For example, the custom-code layer within most web applications is vulnerable to any of the Open Web Application Security Project (OWASP) Top 10 issues, including injections, misconfigurations or cross-site scripting.

Meanwhile, third-party web application components create their own unique set of problems. As an example, Dyer and Detoisien discussed Apache Struts and the unpatched vulnerability that eventually led to the breach at Equifax, which affected nearly 150 million customers and resulted in executive shake-ups, federal investigations and Congressional hearings. The issues with various CMS platforms are also well documented. “It seems every month, there’s a new vulnerability or a new exploit associated with either WordPress or Drupal or Joomla,” Dyer said.

Given the trove of personal data potentially accessible via web applications, it’s no surprise that attackers will swarm to take advantage of a vulnerability. Once a vulnerability is discovered, threat actors use what Detoisien described as “spray and raid” tactics to hit as many apps as possible before patches are rolled out, giving them enough victims to make the hacking profitable.

Web Application Scanning: Consider Your Components

Dyer and Detoisien discussed two main themes for security professionals to remember to help prevent attacks on web applications:

  • Basic cyber hygiene will address many weaknesses. If your business is able to detect the vulnerability and your security team is able to prioritize the remediation based on the actual cyber risk, this is a hugely important way to help secure web applications, as well as other types of IT assets on the network.
  • Keeping abreast of the latest vulnerabilities and patches can prevent a breach. Many of the most basic web application components, such as jQuery plugins, are widely used, and attackers take advantage of these components for their own purposes, so it’s worth keeping up with the latest security alerts and updates from the major application providers.

Once you’ve got the basics down, Dyer and Detoisien recommend making sure you’re assessing all the external components that make up your web applications. These can include web app servers, a CMS, web frameworks, JavaScript libraries and language engines. This involves:

  • identifying all the entry points within various web apps;
  • fingerprinting all components within the app, which can help assess what versions of the components your business is running; and
  • assessing the components for flaws, such as misconfigurations.
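As an added illustration of the fingerprinting and assessment steps above (example code written for this post, not a Tenable tool or the speakers' own method), the script below pulls library and CMS version strings out of a page's markup and compares them against a minimum-version policy; the policy table, the component names it knows about and the sample page are all assumptions, and a component with no version in its filename is flagged for manual fingerprinting rather than silently passed.

```python
import re
from html.parser import HTMLParser
# Constructed policy table (assumption, not a real advisory feed).
MIN_VERSION = {"jquery": (3, 5, 0), "bootstrap": (4, 6, 0), "wordpress": (6, 0, 0)}

class _ComponentParser(HTMLParser):
    """Collect <script src> URLs and the CMS <meta name="generator"> banner."""
    def __init__(self):
        super().__init__()
        self.scripts, self.generator = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")

def parse_version(text):
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)  # dotted version, if any
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None

def fingerprint(html):
    """Return (component, version) pairs found in the page markup."""
    p = _ComponentParser()
    p.feed(html)
    found = []
    for src in p.scripts:
        filename = src.rsplit("/", 1)[-1].lower()
        for lib in MIN_VERSION:
            if filename.startswith(lib):  # e.g. jquery-1.12.4.min.js
                found.append((lib, parse_version(filename)))
    if p.generator:  # e.g. "WordPress 5.8.1"
        found.append((p.generator.split()[0].lower(), parse_version(p.generator)))
    return found

def assess(html):
    """Flag components whose version is unknown or below the policy minimum."""
    findings = []
    for lib, ver in fingerprint(html):
        floor = MIN_VERSION.get(lib)
        if ver is None:
            findings.append(f"{lib}: no version in markup, fingerprint manually")
        elif floor and ver < floor:
            findings.append(f"{lib} {'.'.join(map(str, ver))}: below policy minimum")
    return findings

# Constructed sample page, not captured from any real site.
SAMPLE_HTML = """<html><head><meta name="generator" content="WordPress 5.8.1">
<script src="/wp-includes/js/jquery/jquery-1.12.4.min.js"></script>
<script src="https://cdn.example/bootstrap.min.js"></script></head></html>"""
```

Running `assess(SAMPLE_HTML)` yields three findings: two components below the policy floor and one whose version cannot be read from the filename.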

Practicing these tactics can take your web application security plan beyond looking at the OWASP Top 10, giving you a much fuller view not only of the apps your business is running, but the components that make up those applications. Armed with this level of detail, your security team can make smarter decisions when it comes to assessing risk and rolling out patches to address critical flaws and vulnerabilities.
